More groups of Nova Scotians affected by data theft, minister says

The Nova Scotia government announced on Wednesday that it has found more members of the public and public service affected by the personal information security breach that occurred on the last two days of May.

“We are confident that we have identified all groups of Nova Scotians from whom sensitive personal information has been stolen,” Colton LeBlanc, minister responsible for the government’s cybersecurity and digital solutions, said in a press briefing.

Since the last briefing, the province has found approximately 13,000 active employees of regional centers for education and the Conseil scolaire acadien provincial who had personal information stolen in the MOVEit file transfer service breach and theft by cybercriminals.

The 13,000 include teachers and administrative, human resources and finance staff. Hacked information includes name, address, social security number, retirement payments, and gender.

The teachers in the group announced on Wednesday are in addition to the list of certified and permitted teachers announced on June 9, although there may be overlap, the minister said.

Others identified since the June 9 briefing include 480 individuals in the prescription surveillance program. This includes health card numbers, personal health information, and demographic information. This is an update of the previously announced 60 people.

An additional 17,500 water and tax bills with the City of Queens have been added to the theft list, including names, addresses, account numbers, payment amounts and balance due.

More than 100 patients who visited the early labor and assessment ward at IWK Health Center in Halifax have had their personal health information stolen, including names, dates and times of visit, and reasons for the visit.

Five students from a file held by the Department of Labor, Skills and Immigration had their names, addresses, social security numbers, phone numbers and dates of birth compromised, and two students had their names, institutions and student ID numbers stolen. .

The Elections Nova Scotia voter roll was also on MOVEit so it could be shared with political parties. That was shared in a way that made it inaccessible, and the investigation has shown that it was not compromised.

“All of this is in addition to the groups announced at our press conferences last week,” LeBlanc said.

At an earlier briefing, LeBlanc said the government had determined that as many as 100,000 current and former employees of Nova Scotia Health, the IWK and the public service had personal information stolen.

In a subsequent briefing, he said investigators found the personal information records of thousands of other Nova Scotians had been identified as part of the cyber theft.

“Our focus since we became aware of this vulnerability has been simple: contain the breach, identify the impact, inform the public and initiate the reporting process,” said LeBlanc. “In an environment where information is constantly changing, we have done our best to be as transparent as possible.”

The minister said he is aware that many want to know the total number of people affected, but that number will be difficult to confirm due to the amount of overlap with one person appearing on multiple lists.

“We’re most concerned about educating people, so that’s what we’re devoting our time and attention to,” LeBlanc said. “The first notification letters will go out by the end of the week to one of the most affected vulnerable groups (people affected by the Community Service Department.) We will continue to send them (notifications) in the coming weeks and months.

The government will provide credit monitoring and fraud protection to anyone contacted.

The minister said this is the last scheduled press conference on the matter, but the public will be regularly updated on the website https://novascotia.ca/privacy-breach/

“It’s been a good thing to have four press conferences so far, but I don’t understand the reason for ending them at this point,” Liberal critic Braedon Clark said after the press conference.

“Based on what we’ve heard today, I don’t think this is over by any means. Those affected have not even been notified.”

Clark said he was also concerned that those affected will be contacted by mail, which is a slow process.

Clop, the ransomware cybercriminal gang that claimed responsibility for the theft, has posted on its website that the stolen Nova Scotia data has been deleted. But cyber experts say that a criminal enterprise like Clop cannot be trusted.

LeBlanc said the government has not been asked for a ransom.

LeBlanc said Nova Scotians must take the steps they need to keep information safe because while this is the first major breach the department has faced, it most likely won’t be the last.

Deputy Minister Natasha Clarke said the government is still using MOVEit, adding that the software used to interact with the service has been refreshed and the government has applied a number of software updates.

“It’s being used by a number of critical government departments,” Clarke said of MOVEit. “We applied the same patches that other jurisdictions that use the same software have. We have no reason to believe that we have any further vulnerabilities. We have added additional protections and monitoring.”